hacking into our domain - suggestions on how to block

Following on from one of my other questions, someone is trying to brute-force guess our Administrator password. There were 3000+ attempts yesterday over a 3-hour period to guess the Administrator password. I need suggestions on:

a) how to stop it

and

b) how to track who it is

I have done the following so far:

- changed the administrator user name (and the password to a very strong one)

Also, if you suggest enabling logging on our firewall, please tell me how to do it for a PIX 515!

Thanks for the links. The first one describes how account locking policies are not really effective for web-based services, which is correct, but it doesn't really help us all that much, since we are using the default web sites set up by Small Business Server 2003. We can't really edit the pages to use CAPTCHAs, since we don't have the expertise. However, I'm pretty sure that our attacks are coming through our websites, since this is the failure audit logged in the event viewer:

Is the workstation name something on your network?
The first thing I'd be looking for is: do you have someone logged in as administrator on their desktop that's hitting your web site? This is legitimate access, but of course the local administrator account on a client machine is going to have access to nothing on your server, generating the errors again and again ad nauseam.
You can take a look at your IIS logs (make sure source IP is being logged) to see what IP the requests were coming from at the time of the security audit log failures. Don't forget your IIS logs will be in GMT+0hrs.

I've also shifted this across to the Windows Security Topic area. The Experts there might be able to shed some more light on the situation but above would be my best guess at what's actually going on.
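The check alimu describes above, as an added example that is not part of the original thread: line up the failure audits from Event Viewer (shown in the server's local time) with the IIS W3C log (written in UTC) and report which client IPs were sending requests that got a 401 around each failed logon. The log excerpt, the audit timestamps and the UTC+1 local offset are all constructed for illustration; adjust `LOCAL_UTC_OFFSET` to the server's real zone.

```python
"""Correlate IIS W3C log entries (UTC) with Windows security failure audits
(local time) to see which client IPs were active when logons failed.
All sample data below is constructed; it is not from the thread."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed IIS 6.0 W3C extended log excerpt. IIS stamps these in UTC.
IIS_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2006-03-14 09:58:12 192.0.2.10 GET /exchange/ - 203.0.113.5 Mozilla/4.0 401
2006-03-14 09:58:13 192.0.2.10 GET /exchange/ - 203.0.113.5 Mozilla/4.0 401
2006-03-14 09:58:14 192.0.2.10 GET /exchange/ - 203.0.113.5 Mozilla/4.0 401
2006-03-14 10:05:00 192.0.2.10 GET /remote/ jsmith 192.0.2.55 Mozilla/4.0 200
"""

# Constructed failure-audit timestamps as Event Viewer shows them, i.e. in the
# server's local time. The offset is an assumption for this example.
LOCAL_UTC_OFFSET = timedelta(hours=1)
FAILURE_AUDITS = [
    ("2006-03-14 10:58:12", "Administrator"),
    ("2006-03-14 10:58:13", "Administrator"),
    ("2006-03-14 11:20:00", "Administrator"),  # no web request near this one
]


def parse_iis_log(text):
    """Yield (aware UTC datetime, {field: value}) for each data line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line instead of crashing the run
        row = dict(zip(fields, values))
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        yield ts.replace(tzinfo=timezone.utc), row


def local_to_utc(ts_text, offset=LOCAL_UTC_OFFSET):
    """Convert an Event Viewer local timestamp to an aware UTC datetime."""
    naive = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
    return (naive - offset).replace(tzinfo=timezone.utc)


def correlate(iis_text, audits, window=timedelta(seconds=5), offset=LOCAL_UTC_OFFSET):
    """Return (Counter of client IP -> number of failed logons it was active
    during, list of audit timestamps with no 401 request nearby)."""
    entries = list(parse_iis_log(iis_text))
    hits = Counter()
    unmatched = []
    for ts_text, _account in audits:
        audit_utc = local_to_utc(ts_text, offset)
        # Distinct IPs that got a 401 within the window of this failure.
        nearby = {row["c-ip"] for ts, row in entries
                  if abs(ts - audit_utc) <= window and row["sc-status"] == "401"}
        if nearby:
            hits.update(nearby)
        else:
            unmatched.append(ts_text)
    return hits, unmatched


if __name__ == "__main__":
    hits, unmatched = correlate(IIS_LOG, FAILURE_AUDITS)
    for ip, n in hits.most_common():
        print(f"{ip}: active (401) around {n} failed logon(s)")
    for t in unmatched:
        print(f"{t}: no matching web request; the attempt probably did not come via IIS")
```

An audit time with no nearby 401 in the web log is the useful negative result here: it means that particular failure did not arrive through the website, which is exactly the situation the later replies in this thread discuss.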

Hi, what we do here is rename the real administrator account and create another account named "administrator" with no group membership (not even Users), so these b*stards can play without risking compromise of the true admin account.

DITSSINET - I have already renamed the account, but haven't created a new one in its place. Surely it's sufficient just to change the name? Why give them ANY account to play with, even if it has no rights?

alimu - I have checked the IIS logs, but it only looks like legitimate traffic. I expected there to be more entries with failed username/password messages, but I couldn't see any. IP logging is enabled in the default website properties, as are most of the other logging options. In response to your other question, the workstation name in the above log IS something on our network - it is in fact the server name, and the caller username is the server name plus a '$' - does any of this mean anything?

We again had 2000 attempts yesterday - if I could find out the IP of these attempts I would love to block it.

Hi, you won't find anything in the IIS log for this type of attempt. This is made in RPC mode with administrative shares.

I suggest creating an account named "administrator" with no group membership because it's the default name of the built-in administrator account. This is a diversion... If the administrator account exists, they'll try to break it: even if they succeed, this is a waste of time. During this time, your real admin account is safe. Therefore your system is safe.

The "$" is for hidden shares: every Windows machine (unless disabled in the registry) has these administrative shares (\\servername\c$).

From what I see in your log above, I think the user is logged on to the local administrator account of his workstation and the event log is only taking the "current username". I wouldn't bother; this can easily be an accident. If I'm logged on to the local administrator account on my workstation and I try to access our intranet, I'll generate the same event in the event log.
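The triage the last two replies are doing by eye, as an added example that is not part of the original thread: parse the text of Windows Server 2003 logon-failure audits (event ID 529, as copied from Event Viewer) and summarise, for the Administrator account, where the failures come from. The three event bodies are constructed for illustration. Two fields settle the question asked above: Logon Type 3 means a network logon (SMB/RPC or IIS integrated authentication, not the server console), and a Caller User Name ending in `$` is the server's own machine account, meaning a service on the server recorded the failure on behalf of a remote client, which is why the "workstation" in the thread is the server itself; the Source Network Address field is then the one that identifies the client.

```python
"""Triage Windows Server 2003 logon-failure audits (event 529 text) to see
where failed Administrator logons originate. Sample events are constructed."""
import re
from collections import Counter

# Constructed 529 event bodies in the layout Event Viewer shows them.
SAMPLE_EVENTS = [
    """Logon Failure:
    Reason:\t\tUnknown user name or bad password
    User Name:\tAdministrator
    Domain:\t\tEXAMPLE
    Logon Type:\t3
    Logon Process:\tNtLmSsp
    Authentication Package:\tNTLM
    Workstation Name:\tSBSSERVER
    Caller User Name:\tSBSSERVER$
    Caller Domain:\tEXAMPLE
    Source Network Address:\t203.0.113.5
    Source Port:\t1049""",
    """Logon Failure:
    Reason:\t\tUnknown user name or bad password
    User Name:\tAdministrator
    Domain:\t\tEXAMPLE
    Logon Type:\t3
    Logon Process:\tNtLmSsp
    Authentication Package:\tNTLM
    Workstation Name:\tSBSSERVER
    Caller User Name:\tSBSSERVER$
    Caller Domain:\tEXAMPLE
    Source Network Address:\t203.0.113.5
    Source Port:\t1050""",
    """Logon Failure:
    Reason:\t\tUnknown user name or bad password
    User Name:\tAdministrator
    Domain:\t\tWS07
    Logon Type:\t3
    Logon Process:\tNtLmSsp
    Authentication Package:\tNTLM
    Workstation Name:\tWS07
    Caller User Name:\tSBSSERVER$
    Caller Domain:\tEXAMPLE
    Source Network Address:\t192.0.2.55
    Source Port:\t3201""",
]

# "Field Name:<tab>value" lines; leading indentation is ignored.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

LOGON_TYPES = {
    "2": "interactive (console)",
    "3": "network (SMB/RPC or IIS integrated auth)",
    "8": "network cleartext (e.g. IIS basic auth)",
    "10": "remote interactive (RDP)",
}


def parse_event(text):
    """Return the event's 'Name: value' lines as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def triage(events, target="Administrator"):
    """Count failures for one account by source address, by logon type, and
    by machine-account callers (names ending in '$')."""
    by_source, by_type, machine_callers = Counter(), Counter(), Counter()
    for text in events:
        ev = parse_event(text)
        if ev.get("User Name") != target:
            continue
        # Prefer the client address; fall back to the workstation name.
        src = ev.get("Source Network Address") or ev.get("Workstation Name") or "?"
        by_source[src] += 1
        by_type[LOGON_TYPES.get(ev.get("Logon Type"), "other")] += 1
        caller = ev.get("Caller User Name", "")
        if caller.endswith("$"):
            machine_callers[caller] += 1
    return {"by_source": by_source, "by_type": by_type, "machine_callers": machine_callers}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for src, n in result["by_source"].most_common():
        print(f"{src}: {n} failed logon(s)")
    print("logon types:", dict(result["by_type"]))
    print("machine-account callers:", dict(result["machine_callers"]))
```

Run against a real export, a source address outside your own ranges with a high count is the one to block at the PIX; an internal workstation address with a trickle of failures is the "someone logged on as local administrator" case described above.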